Communications Litigation Today was a Warren News publication.
SIM Swaps

T-Mobile Had 'Reckless Approach to Security,' Alleges Plaintiff in FCA Case

T-Mobile’s “grossly negligent” and “reckless approach to security for SIM swap fraud” shows it tried “to profit from the problem rather than fix it,” argued plaintiff Seema Nair in a complaint (docket 5:22-cv-08030) alleging violation of the Federal Communications Act (FCA), filed Monday in U.S. District Court for Northern California in San Jose.

T-Mobile failed to prevent unauthorized changes to the plaintiff’s mobile phone service, including the deactivation of her phone’s SIM card and the transfer of her phone number and wireless service to a different, unauthorized SIM card in a “SIM swap,” said the complaint. The SIM swap resulted in the theft of at least $418,000, loss of data, threats from the hacker, a “substantial increase in the risk of identity theft” due to unauthorized access to confidential personal information, loss of privacy and physical and emotional distress related to the losses, it said.

The plaintiff cited two instances where she alleged T-Mobile failed to protect her information, saying T-Mobile employees effected two unauthorized SIM swaps on her phone. She caught the first successful SIM swap before the hacker could gain access to her accounts and information. A second attempt failed, but on a third attempt, despite her demands that T-Mobile not make any changes on her account without her authorization, “and Defendant’s assurances,” T-Mobile employees permitted a hacker to complete a SIM swap, gain access to her accounts and steal cryptocurrencies valued at about $418,000 at the time, the complaint said.

A SIM swap can't happen “unless the mobile services carrier, through one of its employees, switches the SIM card from the victim’s phone to the hacker’s phone," the plaintiff asserted. Though Nair was able to regain control of her mobile phone service, she wasn’t able to regain immediate control of her email accounts since the hacker had changed the alternate email and phone number on her accounts, she alleged. She was never able to regain access to her Hotmail account, she said.

The hacker demanded two Bitcoin as ransom by text or “we will keep attacking you,” said the complaint. The hacker also sent a photo of the plaintiff’s elderly mother, threatening to “go after her next,” it said. Since T-Mobile “permitted the SIM-swap,” hackers have “stolen her life savings, terrorized her and her family, took possession of the personal information of her and her family, and posted it on the dark web for sale,” the complaint alleged.

T-Mobile sent the plaintiff a letter acknowledging it detected “unauthorized activity” on her account about three weeks after she was initially texted by the hacker, warning her that changing a SIM assignment is one way fraudsters attempt identity theft and that she may want to place a fraud alert, alleged the complaint. The carrier directed her to its privacy statement, which said the company couldn’t guarantee that its safeguards would prevent every unauthorized attempt to use customers’ personal data.

Nair alleged a T-Mobile attorney informed her the carrier “sells phone service, not security” and that terms and conditions of use on the T-Mobile website “specifically disallow recovery for damages due to lost cryptocurrency,” without explaining that the disclaimer is “ineffective under California law because of T-Mobile’s grossly negligent or reckless conduct.”

In addition to alleging violation of the FCA, the plaintiff is charging T-Mobile with negligence, violations of the California Constitutional Right to Privacy and concealment. “Defendant knew that its data security measures were grossly inadequate, that its employees and agents could readily bypass security procedures, that its employees at times cooperated with hackers and thieves, and that it was incapable of living up to its commitments to consumers,” under state and federal laws, and its own privacy policy, to protect her personal information, said the complaint. T-Mobile didn’t comment Tuesday.